This is a very welcome announcement which consists of two initiatives. The first, which Facebook says they are starting to roll out today, is the option to use HTTPS while using Facebook to protect your account and privacy.

In standard Facebook fashion this option is of course opt-out, ahem, opt-in? Yes. Facebook has decided that when it comes to protecting your privacy you must choose to opt-out of sharing, but when it comes to enhancing your privacy you must opt-in.

Aside from this minor quibble, it is great news for those who are concerned about tools like Firesheep stealing their online identities while using unencrypted WiFi. Firesheep is a Firefox extension that was released in October 2010 to enable people to steal authentication cookies from other users on unencrypted WiFi.

Facebook is just one of the services that could be compromised through the use of the tool, and by enabling HTTPS in your profile you are protected against this type of attack.

In Alex’s post he only suggests enabling this feature if you frequently access Facebook from insecure locations. While to a degree this is true, I wouldn’t want to count on having to remember to fiddle with my settings when I am out and about on my iPad/netbook/laptop/smartphone.

The safe thing to do is to turn this on. Hopefully, after Facebook enables this feature for all of their users, they will consider making it the default, as Google did for Gmail.
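The protection described above only holds if the browser refuses to send the login cookie over plain HTTP, which is what the cookie's Secure attribute (RFC 6265) instructs. The following check is an added example, not code from this post or from Facebook; the cookie names and Set-Cookie headers are constructed, and it models which cookies a conforming browser would attach to a plaintext request (the ones a sniffer on open WiFi could see).

```python
"""Flag session cookies that a browser would still send over plain HTTP.

Added illustration; the names and sample headers are constructed.
A cookie is only kept off an unencrypted WiFi hop if it carries the
Secure attribute, so an HTTPS setting alone is not enough.
"""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    # Attribute names are case-insensitive; value-less ones like Secure
    # simply appear on their own.
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return Cookie(name.strip(), value, "secure" in attrs, "httponly" in attrs)


def cookies_sent(cookies, scheme: str):
    """Cookies a conforming browser attaches to a request on `scheme`."""
    return [c for c in cookies if scheme == "https" or not c.secure]


def exposed_session_cookies(headers, session_names):
    """Names of session cookies that would leave the browser over http."""
    jar = [parse_set_cookie(h) for h in headers]
    return sorted(c.name for c in cookies_sent(jar, "http")
                  if c.name in session_names)


# Constructed sample: a login response that sets two session cookies.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly",            # exposed over plain HTTP
    "auth=def456; Path=/; Secure; HttpOnly",   # held back until TLS
    "lang=en; Path=/",                         # not a session cookie
]
SESSION_NAMES = {"sid", "auth"}

if __name__ == "__main__":
    for name in exposed_session_cookies(SAMPLE_HEADERS, SESSION_NAMES):
        print(f"{name}: sent over plain HTTP, sniffable on open WiFi")
```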

The second announcement talks about a new form of reverse-Turing test, known more commonly as a CAPTCHA. Facebook is calling this “Social Authentication”.

If they believe your account may have been compromised or is exhibiting suspicious activity, they may prompt you for additional information after receiving your correct username and password. The new system, when deployed, will show you photos of your friends and ask you to identify who they are in the pictures.

This is a clever approach to a difficult problem and will hopefully be a significant speed bump for all of the phishers and scammers who have been targeting Facebook users. Until Facebook begins using this technique it is difficult to say how well it will work, but it is easier and more intuitive than traditional CAPTCHA solutions.

It would appear Social Authentication is there only to thwart bots though, not your angry girlfriend (or birds for that matter). It is another good reason not to expose your photos, friends, and relationship status on your Facebook public profile as well.

If you’re a Facebook user who wants to stay on top of the latest security threats, why not join our Facebook page?

28 comments on “Facebook steps up security, but it’s opt-in?”

I like that photo authentication, sounds like a good alternative for people trying to get back into their accounts. As the hacker is probably someone who doesn't know you very well, they couldn't identify those people.

The HTTPS thing should be given to everyone like the new profile pages, most people don't understand the importance of it and will choose not to opt in.

I understand it, but I opt out anyway. It's too much of a pain, because IE keeps asking if I want to see everything on the page, or only what is secure. I know I can use other browsers, and I've used Firefox and Opera in the past. But I tend to stick with IE because I do some simple website development and that's what all my clients use.

I got to use the photo authentication a week or so ago when I had trouble logging into Facebook on my phone. It works well, and as it required me to identify 5 friends, random guessing was not going to work; actually a really good idea.
I was however surprised when it came up, seeing as they hadn't announced its implementation back then.
I too am disappointed that the HTTP option is hidden away behind several layers of menus. I've suggested to the Facebook security page that they should have a SECURE button alongside the HOME, PROFILE & ACCOUNT buttons at the top of the page; that would show they took security seriously. Not holding my breath, however.

But the problem is that https on a mobile browser keeps redirecting to the non-secure site after log in. Plus, the problem is that the friend verification is a hindrance for even the users themselves, especially gamers! That is because the games urge you to befriend unknown people in order to unlock specific stuff.

Plus many of us leave our childhood Facebook friends connected, but as everyone knows features change, and who knows what they would look like in 10 years when Facebook decided to lock my account for any reason.

Plus heavy makeup can obscure pictures. Also some people post game screenshots or animation pictures and tag themselves. Then when my account got locked due to me moving places and thus a different IP address, I was close to ripping my head out as Facebook asked me to identify who’s tagged in that pic/screenshot/animation! Grrr!

The identify-the-person-in-the-photo form of authentication has been around for a while. I've run into it twice over the past six months, probably because the network at my office identifies its location as a city about 1,000 kilometers from where I live and work. The problem with it is that about half of my Facebook "friends" are people I have never met, so it took me several failures (after which I had to wait several hours before trying again) before I could get into my account. And if I, a person with only about 60 Facebook "friends," found it a pain, what about those with hundreds?

Great, now I have to delete all the photos I have with people I don't know in them? Those tagged by friends and friends of friends? Is this how I am rewarded for allowing my pictures to be shared in the first place?

I've had to use this new feature twice and had to make wild guesses. Most of my FB friends are people I've never met in person and whose photo albums I almost never access. Some of the photos were them as children – or one woman's rear end way at the back of the photo as she was cleaning out her garage. I guess my profile is going to be VERY secure because even I will have trouble getting into it.

The linked blog post at Facebook (in the first paragraph of this post) says the feature is being rolled out over the next few weeks, but you can access this setting in "Account > Account Settings > Account Security."

Yes, but only "selected" people have that feature available to them (the feature to enable the https:// site wide). It is NOT that "auto enable" is being rolled out, but rather the ability to enable "https" site wide.

If you find https too slow, you could always turn it off later. Or Facebook could read up on Google's site how they turned it on in gmail without users finding it too slow. Or Facebook could invest in some new servers to do security properly.

As for breaking third party apps, you could always turn off https later if you want to keep using third party apps which don't care about security. Oh, you say it breaks lots of apps. Name them so people know which apps to avoid.

As for putting insecurity in "quote marks", why?

As for SHOUTING, kindly don't.

As for bringing getting cancer into a discussion on social networks, kindly don't.

Being sensible about security means doing it, not finding excuses why not to do it.

Considering its importance, opt-out makes more sense. I use https: for everything it's available for and have not noticed significant slowing, but I admit YMMV. If you DO observe problematic slowing or it breaks apps you consider important you can opt-out, but expecting something this important to be opt-in is stupid.

Facebook has not enabled it for any of our research accounts yet. There are instructions in Facebook's blog entry, which is the first link in my post. Once it is available to my account I will post more details.

Agreed – what is the benefit of not opting in? I work for Symantec, and we commend Facebook for making this huge move for online security. SSL encryption is important and it will help everyone, but only if we turn it on.

I'd like to see https: as the default for virtually everything. I use it for everything I can, in addition to avoiding all unencrypted wifi. I carry a 3G hotspot so I can use it rather than public wifi.

Facebook keeps demanding a cell phone number when I sign in, and it says it will send the phone a text – IMPOSSIBLE ON MY PHONE – with a key code. I put down my daughter's number, it sent her the code but it is the wrong code. This happens over and over. Is there a way to opt out of that cell phone nonsense? Or can I get the system to work so it will give me a code that is good? Or can I make them stop going around in circles, so that every time I try to put in the phone number the system doesn't reset and I don't have to log back in? If FB is going to demand a cell phone number, the least it should do is WORK!